The HIVEXFS project provides a FUSE module that mounts a Windows registry on any directory, so that the registry can then be worked with as a filesystem tree.

At the moment HIVEXFS is already used in Dr.Web LiveCD, where the registries it finds are mounted by autofs under the /reg directory.

Directories are registry keys, files are parameters, and the contents of a file are the value of the corresponding parameter. The default parameter is represented by the file "@"; the parameter type is defined by the file's extended attributes. Values of parameters of type REG_SZ, REG_EXPAND_SZ, REG_LINK, REG_DWORD or REG_QWORD are automatically converted to text (UTF-8) and back.

The registry is mounted with the hivexfs utility. The first argument is the mount point of the Windows disk, the second argument is an empty directory:

sudo hivexfs /mnt/windows /mnt/registry

Examples of use:

Create a parameter NEW_VALUE of type REG_SZ:

echo qwerty > NEW_VALUE

Let's look at the actual content:

attr -qg value NEW_VALUE | hexdump -C

00000000 71 00 77 00 65 00 72 00 74 00 79 00 0a 00 00 00 | qwerty …. |

As we can see, the string is encoded as UTF-16LE and ends with two zero bytes.

Convert it to type REG_DWORD:

# attr -s type -V reg_dword NEW_VALUE

attr_set: Invalid argument
Could not set "type" for NEW_VALUE

This is an error, because the string cannot be converted to a number. Let's try again:

# echo 12345 > NEW_VALUE

# attr -s type -V reg_dword NEW_VALUE

Attribute "type" set to a 9 byte value for NEW_VALUE: reg_dword

# attr -g type NEW_VALUE

Attribute "type" had a 9 byte value for NEW_VALUE: REG_DWORD

# attr -g size NEW_VALUE

Attribute "size" had a 1 byte value for NEW_VALUE: 4

# cat NEW_VALUE

12345
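The conversions seen in the session above, as an added Python sketch (not hivexfs's own code). It assumes string types are stored as UTF-16LE with a terminating NUL, as the hexdump shows, and that REG_DWORD and REG_QWORD are 4- and 8-byte little-endian unsigned integers; the function names are hypothetical.

```python
import struct

# Assumptions: string types are UTF-16LE with a terminating NUL (as in the
# hexdump above); DWORD/QWORD are 4/8-byte little-endian unsigned integers.
STRING_TYPES = {"REG_SZ", "REG_EXPAND_SZ", "REG_LINK"}
INT_FORMATS = {"REG_DWORD": "<I", "REG_QWORD": "<Q"}

# Bytes copied from the hexdump of NEW_VALUE shown on this page.
QWERTY_RAW = bytes.fromhex("7100770065007200740079000a000000")


def raw_to_text(reg_type, raw):
    """Raw registry bytes -> the text a read of the file would return."""
    reg_type = reg_type.upper()
    if reg_type in STRING_TYPES:
        text = raw.decode("utf-16-le")  # odd length raises a ValueError subclass
        return text[:-1] if text.endswith("\x00") else text
    if reg_type in INT_FORMATS:
        fmt = INT_FORMATS[reg_type]
        if len(raw) != struct.calcsize(fmt):
            raise ValueError(f"{reg_type} needs {struct.calcsize(fmt)} bytes")
        return str(struct.unpack(fmt, raw)[0])
    raise ValueError(f"no text form for {reg_type}")


def text_to_raw(reg_type, text):
    """Text written to the file -> raw bytes stored for the parameter."""
    reg_type = reg_type.upper()
    if reg_type in STRING_TYPES:
        return (text + "\x00").encode("utf-16-le")
    if reg_type in INT_FORMATS:
        try:
            return struct.pack(INT_FORMATS[reg_type], int(text.strip()))
        except struct.error as exc:  # negative or too large for the width
            raise ValueError(f"{text!r} does not fit {reg_type}") from exc
    raise ValueError(f"no text form for {reg_type}")


def retype(old_type, new_type, raw):
    """Re-encode a value for a new type; a ValueError here corresponds to
    the "Invalid argument" error in the session above."""
    return text_to_raw(new_type, raw_to_text(old_type, raw))


if __name__ == "__main__":
    print(repr(raw_to_text("REG_SZ", QWERTY_RAW)))
    print(retype("REG_SZ", "REG_DWORD", text_to_raw("REG_SZ", "12345\n")).hex())
```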

Supported operations:

List the attributes available for a parameter:

attr -l [value]

View the parameter type with the command:

getfattr -n user.type [value]
or
attr -g type [value]

The actual size of the parameter:

getfattr -n user.size [value]
or
attr -g size [value]

The actual contents of the parameter, byte for byte:

getfattr --only-values -n user.value [value]
or
attr -qg value [value]

Copying is best done with the ln (link) command, which copies all the attributes of the parameter. The cp command uses the read and write calls, so string and numeric values are recoded on the fly into UTF-8 and back. So cp is very expensive, and in addition it does not know the type of the parameter. To copy a registry section recursively, use the command
cp -Rl [path1] [path2]

By default the type is REG_SZ; if a parameter is modified, its type does not change. Change the parameter type with the command:

setfattr -n user.type -v [new_type] [value]
or
attr -s type -V [new_type] [value]

Modification is available for parameters of type REG_SZ, REG_EXPAND_SZ, REG_LINK, REG_BINARY, REG_DWORD, REG_QWORD. If a modification is not possible, an error is returned.

If something went wrong, you can kill the hivexfs process to undo the changes: without an unmount, the changes do not come into force.

There is a limitation: it is not possible to create a key or value whose name contains national characters.
